Age | Commit message | Author
|
snmp: T2998: SNMP v3 oid "exclude" option fix
|
|
* set protocols bfd peer <x.x.x.x> minimum-ttl <1-254>
(partially cherry-picked from 1f07dcbddfcfdbb9079936ec479c5633934dd547)
|
|
wireguard: T5413: Blocked adding the peer with the router's public key
|
|
pppoe: T5630: make MRU default to MTU if unspecified (backport #2527)
|
|
Disabled adding the peer with the same public key as the router has.
Backport from current
https://github.com/vyos/vyos-1x/pull/2122
|
|
TFTP VRF support is working on a live system but the smoketests tend to fail.
This commit removes the VRF based smoketests for TFTP server, to make
the equuleus Jenkins builds work again.
|
|
This fixes the implementation in e062a8c11 ("pppoe: T5630: allow to specify MRU
in addition to already configurable MTU") and restores the behavior that MRU
defaults to MTU if MRU is not explicitly set.
This was the behavior in VyOS 1.3.3 and below before we added ability to define
the MRU value.
(cherry picked from commit ffd7339e2ea3eafdd97ac0763ca4a3913fe71bf3)
|
|
(cherry picked from commit e357258e645cf85de0035d4ecfbf99db4dd90f7e)
|
|
Set the MRU (Maximum Receive Unit) value to n. PPPd will ask the peer to send
packets of no more than n bytes. The value of n must be between 128 and 16384,
the default was always 1492 to match PPPoE MTU.
A value of 296 works well on very slow links (40 bytes for TCP/IP header + 256
bytes of data). Note that for the IPv6 protocol, the MRU must be at least 1280.
CLI:
set interfaces pppoe pppoe0 mru 1280
(cherry picked from commit e062a8c11856f213983f5b41f50d4f9dbc0dde0f)
|
|
Add interface type veth (Virtual ethernet)
One of the use cases is interconnecting different VRFs and the
default VRF via a bridge.
set interfaces virtual-ethernet veth0 peer-name 'veth1010'
set interfaces virtual-ethernet veth1010 address '10.0.0.10/24'
set interfaces virtual-ethernet veth1010 peer-name 'veth0'
set interfaces virtual-ethernet veth1010 vrf 'foo'
set interfaces bridge br0 address '10.0.0.1/24'
set interfaces bridge br0 member interface veth0
vyos@r1:~$ ping 10.0.0.10 count 1
PING 10.0.0.10 (10.0.0.10) 56(84) bytes of data.
64 bytes from 10.0.0.10: icmp_seq=1 ttl=64 time=0.082 ms
|
|
After commit 9c677c8 ("vyos.util: extend process_named_running() signature
with cmdline") we need an exact match for the process name. In the past
we used a in b and now we test for a == b.
Process name doesn't match 'ddclient':
psutil.Process(pid=10987, name='ddclient - sleeping for 20 seconds', started='13:12:47'
It causes the smoketest to fail.
|
|
Sshguard protects hosts from brute-force attacks.
It can inspect logs and block "bad" addresses by threshold.
It auto-generates its own tables and rules for nftables, so they do not
interfere with VyOS firewall rules.
When the service stops, all generated tables are deleted.
set service ssh dynamic-protection
set service ssh dynamic-protection allow-from '192.0.2.1'
set service ssh dynamic-protection block-time '120'
set service ssh dynamic-protection detect-time '1800'
set service ssh dynamic-protection threshold '30'
|
|
set high-availability vrrp group <name> version 2|3
(cherry picked from commit 6ca308182a7891e600a2e8749f7b12b566005576)
|
|
This extends commit c6016db17ef ("smoketest: tftp: T4012: add busy waiting loop
when validating service availability") so that we also wait when reading in
the VRF result(s).
|
|
T4971: PPPoE server add named ip pool and attr Framed-Pool
|
|
T1993: PPPoE-server add section shaper and fwmark option
|
|
Replace links to the phabricator site from https://phabricator.vyos.net to
https://vyos.dev
(cherry-picked from commit bd9416a6aa9d5d0a746dc2cebc8d0330fd27d1a2)
|
|
Add a new feature to allow the use of named pools.
It can also be used with the RADIUS attribute 'Framed-Pool'.
set service pppoe-server client-ip-pool name POOL1 gateway-address '192.0.2.1'
set service pppoe-server client-ip-pool name POOL1 subnet '192.0.2.0/24'
|
|
Extended the PPPoE-server rate-limiter to avoid shaping marked resources.
ISPs often need this feature when they provide access to an IX
or its resources.
set service pppoe-server shaper fwmark '223'
|
|
availability
TFTP daemon is started as "fire and forget" and systemctl can return (thus
commit will return) but the daemon itself is not yet running.
This adds a loop checking if the service runs and will fail after 10 seconds.
|
|
Some ISPs seem to use the host-uniq flag to authenticate client equipment.
Add CLI option in VyOS to allow specification of the host-uniq flag.
set interfaces pppoe pppoeN host-uniq <value>
(cherry-picked from commit 38bab79324087df5a9057c23b85a0a784c09540a)
|
|
(cherry picked from commit 5cd2cd89b295c728f21c418c3fa081560a00eefc)
|
|
Commit cca7ec3e ("T4832: dhcp: Add IPv6-only dhcp option support (RFC 8925)")
extended the smoketests but used int over str when calling the CLI wrapper.
This led to:
TypeError: sequence item 7: expected str instance, int found
(cherry picked from commit a741a9297f02f938653aeaa1af3c4a57364e9215)
|
|
[1.3] T4832: dhcp: Add dhcp option to signal IPv6-only support (RFC 8925)
|
|
The podman version used in VyOS 1.3 differs from the one used in VyOS 1.4 as
it is currently not possible to build podman 4.2 for Debian Buster. Due to this
restriction we need to adjust the handling of the JSON output when working with
container networks.
|
|
container: T578: backport podman from 1.4 development branch (equuleus)
|
|
(cherry picked from commit 7923e7c57a7492111c7cec8b04228db0a6f00af3)
|
|
T4809: radvd: (Backport) Allow the use of AdvRASrcAddress
|
|
(cherry picked from commit 65b104d6e0608e229aa36d948fabddaf3f4a0a8b)
|
|
T3810: Fixed all issues in T3810
|
|
1. Added generation of all DBs to the webproxy blacklist update script
2. Fixed: if the blacklist category does not have a generated db,
the template generates an empty dest category
in squidGuard.conf and a Warning message.
3. Added template generation for local categories
in the rule section.
4. Changed syntax in the generated dest section for blacklist
categories
5. Fixed generation of dest local sections in squidGuard.conf
6. Fixed bug in syntax. The word 'allow' changed to the word 'any'
in acl squidGuard.conf
7. Backported all changes from 1.4 to 1.3 which were made in T3810
8. Fixed webproxy smoketest
|
|
backport: T4515: T4219: policy local-route6 and inbound-interface support
|
|
Clients supporting this DHCP option (DHCP option 108, per RFC 8925) will
disable their IPv4 network stack for the configured number of seconds
and operate in IPv6-only mode.
Example clients supporting this option include iOS 15+ and macOS 12.0.1+.
|
|
(cherry picked from commit f3420a967ad5597c57093b5279a844dca4c516c0)
|
|
The VLAN aware bridge was forwarding traffic between member ports, but traffic
destined towards the CPU was dropped. This resulted in a gateway not being reachable
or DHCP leases that could not be handed out.
Tested via:
VyOS
set interfaces bridge br0 enable-vlan
set interfaces bridge br0 member interface eth1 allowed-vlan '10'
set interfaces bridge br0 member interface eth1 allowed-vlan '20'
set interfaces bridge br0 member interface eth1 allowed-vlan '30'
set interfaces bridge br0 member interface eth1 allowed-vlan '40'
set interfaces bridge br0 member interface eth1 native-vlan '40'
set interfaces bridge br0 member interface eth2 allowed-vlan '30'
set interfaces bridge br0 member interface eth2 allowed-vlan '20'
set interfaces bridge br0 member interface eth2 allowed-vlan '10'
set interfaces bridge br0 member interface eth2 allowed-vlan '40'
set interfaces bridge br0 vif 10 address '10.0.10.1/24'
set interfaces bridge br0 vif 20 address '10.0.20.1/24'
set interfaces bridge br0 vif 30 address '10.0.30.1/24'
set interfaces bridge br0 vif 40 address '10.0.40.1/24'
Arista vEOS
vlan 10,20,30,40
interface Ethernet1
switchport trunk allowed vlan 10,20,30,40
interface Vlan10
ip address 10.0.10.2/24
interface Vlan20
ip address 10.0.20.2/24
interface Vlan30
ip address 10.0.30.2/24
interface Vlan40
ip address 10.0.40.2/24
interface Ethernet1
switchport trunk allowed vlan 10,20,30,40
switchport mode trunk
spanning-tree portfast
Cisco vIOS
interface GigabitEthernet0/0
ip address 10.0.40.3 255.255.255.0
duplex auto
speed auto
media-type rj45
!
interface GigabitEthernet0/0.10
encapsulation dot1Q 10
ip address 10.0.10.3 255.255.255.0
!
interface GigabitEthernet0/0.20
encapsulation dot1Q 20
ip address 10.0.20.3 255.255.255.0
!
interface GigabitEthernet0/0.30
encapsulation dot1Q 30
ip address 10.0.30.3 255.255.255.0
!
(cherry picked from commit f60d0e1ce029925b843f635b36154c90049b9577)
|
|
set vpn openconnect network-settings split-dns <domain>
(cherry picked from commit e41685a2f56cca0a53b4f8c084f61a85cf561c80)
|
|
(cherry picked from commit bd102eac6d0c97a5f75324d1248814ebdad42da5)
|
|
AES-GCM-256
(cherry picked from commit e19889adf8cef101d85a279055271a68b078ec73)
|
|
(cherry picked from commit 17e76dc77801ac58b2587f664c884c0d671a55c0)
|
|
aware bridge
(cherry picked from commit dbc8e243e13b370e74c6ab20b642c881b6377bd5)
|
|
snmp: T2763: Add protocol TCP for service SNMP
|
|
equuleus: Bond and Bridge interface fixes + new smoketests
|
|
(cherry picked from commit 74d6a7e4fc9e2e929c5f899070e6fc3e3e3b5ceb)
|
|
The Linux kernel supports specifying the MII link monitoring frequency in
milliseconds. This determines how often the link state of each slave is
inspected for link failures. A value of zero disables MII link monitoring.
A value of 100 is a good starting point.
The default value is 100.
set interfaces bonding bond0 mii-mon-interval <n>
(cherry picked from commit 4315c8fa5bb090e2b7edd6bda205041623e2511d)
|